Application Access Policies
Requirements: Active Exchange Administrator Role and App Registration with application permissions granted.
Requirements
Exchange Administrator
Global Administrator (If you haven't yet granted the Application permission)
Application Access Policies
Generally, Application Permissions allow an Azure App Registration to access a certain type of data within the whole tenant.
For example, the Application Permission Calendars.ReadWrite grants access to every calendar in every mailbox in the Exchange Online environment.
Use case
If, for example, you want to grant an App Registration the Read and Write permission on just 15 calendars, you can do so with an Application Access Policy.
Creating an Application Access Policy
To create an Application Access Policy, you first have to create your App Registration and grant it the Application permission.
After that, you need to create a Mail-Enabled Security Group (MESG) in the Exchange environment and add the mailboxes on which the App Registration's permission should apply.
Now you can create the Application Access Policy with the following command (you need to be connected to Exchange Online as an Exchange Administrator):
New-ApplicationAccessPolicy -AppId "<App ID>" -PolicyScopeGroupId "<Primary SMTP Address of MESG>" -Description "<Enter a Custom Description>" -AccessRight RestrictAccess
Example
New-ApplicationAccessPolicy -AppId "8ac33c24-5d07-4a6e-8b5c-14hsi1912722" -PolicyScopeGroupId "test@mydomain.com" -Description "Restricts Access of App X to MESG Y" -AccessRight RestrictAccess
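Verifying the scope
The following script is an added example, not part of the original page. It runs the steps above end to end and then checks, with Test-ApplicationAccessPolicy, that the app is granted on the scoped mailboxes and denied on one outside the group. The App ID, group name, admin account and all addresses are constructed placeholders.

```powershell
# Added example: every ID, name and address below is a constructed placeholder.
$AppId      = '00000000-0000-0000-0000-000000000000'   # App (client) ID of the App Registration
$GroupSmtp  = 'app-x-scope@contoso.example'            # primary SMTP address of the MESG
$InScope    = @('room1@contoso.example', 'room2@contoso.example')
$OutOfScope = 'ceo@contoso.example'                    # mailbox the app must not reach

# Requires the ExchangeOnlineManagement module and an Exchange Administrator account.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. Create the mail-enabled security group that defines the policy scope.
New-DistributionGroup -Name 'App X Scope' -Alias 'app-x-scope' -Type Security `
    -PrimarySmtpAddress $GroupSmtp -Members $InScope | Out-Null

# 2. Restrict the app to the members of that group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess -Description 'Restricts App X to App X Scope' | Out-Null

# 3. Show the policy that now applies to this app.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId | Format-List

# 4. Evaluate the policy for mailboxes inside and outside the scope group.
$all = $InScope + $OutOfScope
$results = foreach ($mbx in $all) {
    $check = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mbx
        Expected = if ($mbx -in $InScope) { 'Granted' } else { 'Denied' }
        Actual   = "$($check.AccessCheckResult)"
    }
}
$results | Format-Table -AutoSize

# 5. Fail loudly if any mailbox is not scoped as intended.
$bad = $results | Where-Object { $_.Expected -ne $_.Actual }
if ($bad) { throw "Policy scope mismatch for: $($bad.Mailbox -join ', ')" }
```

Policy changes can take more than an hour to be enforced on Microsoft Graph calls even when Test-ApplicationAccessPolicy already reports the expected result, so repeat the check against the API itself before relying on the restriction.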